# Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

## Presentation transcript

Rennes, 23/10/2014 Cristina Onete maria-cristina.onete@irisa.fr Commitment Schemes and Identification/Authentication

### Commitment Schemes

Example: Alice and Bob must agree who will clean tonight. They are at their offices. Each tosses a coin and they call:

- If the tosses are the same, then Alice cleans
- If the tosses are different, then Bob cleans

Who talks first?

Cristina Onete || 24/10/2014 || 2

### Commitment Schemes

Alice and Bob toss:

- Alice talks first: Bob says he tossed the same value
- Bob talks first: Alice says she tossed the opposite value

How can we avoid this?

### Commitment Schemes

Commitment: an envelope with a strange seal

- Alice talks first
- Commit phase: she hides her toss in the envelope and gives it to Bob
- Reveal phase: Alice tells Bob how to unseal the envelope
- Bob reveals his toss
- Bob cleans

### Commitment Schemes

Properties:

- Hiding: the content of the envelope is not visible. Bob doesn't know anything about Alice's toss.
- Binding: Alice can't change the content in the envelope. Alice can't cheat after getting Bob's toss.

### Commitment Schemes

Formally:

- Commitment hiding: ……………………
- Commitment binding:

### Pedersen Commitments

……………………

Impossible

### Pedersen Commitments

……………………

- Hiding:

### DLog-based Commitments

……………………

- Computationally hiding: DLog
- Perfectly binding by construction

### Exercise 1

- Consider a hash function H
- Use the commitment scheme
- Is this commitment binding if H is one-way?
- If H is one-way, is this commitment hiding?

Cristina Onete || 25/09/2014 || 10

### Exercise 2

- Use the commitment scheme
- Is this commitment binding?
- Is this commitment hiding?
- What happens if the value s is known?

### Exercise 3

- Use the commitment scheme
- Is this commitment hiding?
- Is this commitment binding?

### Identification & Authentication

- Goal (identification): The prover wants to convince the verifier she is who she pretends to be. Example: interview/application/exam
- Goal (authentication): Prover wants to prove she's legitimate. Example: owner of a house, student at University, etc.

### Challenge-Response

Two-move protocol:

- Verifier starts, sending a challenge
- Prover sends a response
- Based on the challenge-response, the verifier must make his decision

### Challenge-Response

Symmetric authentication:

- Verifier stores a keyring of many keys (each corresponding to one prover)
- Goal of challenge-response: verifier can decide whether the prover is legitimate or not
- Property 1: a legitimate prover can always authenticate
- Property 2: an illegitimate prover can never authenticate
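The symmetric challenge-response exchange described above, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the keyed function, 128-bit random challenges, and a prover that sends no identity, so the verifier tries each key on its keyring; the class names and keyring entries are constructed for illustration.

```python
import hashlib
import hmac
import secrets

CHALLENGE_BYTES = 16  # assumption: 128-bit random challenges

class Prover:
    def __init__(self, key):
        self._key = key  # key shared with the verifier

    def respond(self, challenge):
        # Response: keyed hash of the verifier's challenge.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Verifier:
    def __init__(self, keyring):
        self._keyring = keyring  # prover name -> shared key
        self._pending = set()    # challenges issued and not yet used

    def new_challenge(self):
        challenge = secrets.token_bytes(CHALLENGE_BYTES)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge, response):
        # Only a challenge this verifier issued counts, and only once.
        if challenge not in self._pending:
            return None
        self._pending.discard(challenge)
        # No identity is sent, so each key on the keyring is tried.
        for name, key in self._keyring.items():
            expected = hmac.new(key, challenge, hashlib.sha256).digest()
            if hmac.compare_digest(expected, response):
                return name
        return None

def demo():
    # Constructed sample keyring; the names are placeholders.
    keys = {name: secrets.token_bytes(32) for name in ("alice", "bob")}
    verifier = Verifier(keys)
    outsider = Prover(secrets.token_bytes(32))  # key not on the keyring
    c1 = verifier.new_challenge()
    r1 = Prover(keys["alice"]).respond(c1)
    legit = verifier.verify(c1, r1)                      # property 1
    c2 = verifier.new_challenge()
    unknown = verifier.verify(c2, outsider.respond(c2))  # property 2
    c3 = verifier.new_challenge()
    stale = verifier.verify(c3, r1)  # old response, fresh challenge
    return legit, unknown, stale
```

`verify` returns the name of the prover whose key matched, or `None` when the response is rejected.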

### Challenge-Response

Exercise 4: Can the set of possible challenges be small?

### Challenge-Response

Exercise 5:

- Design a challenge-response protocol using a symmetric encryption function
- Now use a PK encryption scheme
- Use a pseudo-random hash function
- Now use a signature scheme
- Use a commitment scheme and a 1-way hash function

### Exercises

Exercise 6:

- Use the protocol above, assuming the hash function produces pseudo-random outputs
- What is a simple denial-of-service attack that an attacker can run against a verifier who stores very many keys?

### Exercises

Exercise 7:

- A mutual authentication protocol is one in which both parties can verify the legitimacy of their partner
- Start from a basic 2-move challenge-response protocol. Can you think of a 3-move protocol that ensures MUTUAL authentication?
- Design a mutual authentication protocol using only a (keyed) hash function. What are the required properties?

CIDRE Thanks!